A hacker exploited Humanity Protocol on the Binance Smart Chain (BSC) to mint 100 million $H tokens, flooding the market with supply and dragging down the token’s price. The breach, which the protocol confirmed this week, has sent shockwaves through the project’s community and renewed questions about the security of blockchain applications that rely on off-chain components.
How the attacker pulled it off
The attacker gained access to Humanity Protocol’s minting function on BSC, bypassing the intended restrictions. In a single transaction, they created 100 million $H tokens — a figure equivalent to roughly 10% of the token’s total supply, according to blockchain data. The minted tokens were immediately moved to decentralized exchanges, where they were swapped for other assets.
Humanity Protocol has not disclosed the exact vulnerability that allowed the unauthorized minting. But the incident points to a weakness in the project’s off-chain infrastructure — the systems that manage access keys, authorization logic, or administrative controls outside the smart contract itself.
Selling pressure hits the market
Within hours of the mint, the $H token price dropped sharply as the hacker’s newly created tokens hit liquidity pools. Trading volume spiked, and holders rushed to sell. The selling pressure has not fully subsided; the token is still trading well below its pre-breach level. Investors who bought into the protocol’s identity-verification vision are now left with losses and uncertainty.
The incident is a stark reminder that even tokens deployed on a secure blockchain can be undermined if the project’s own operations are compromised. In this case, the attacker didn’t break the smart contract — they broke into the system that controls it.
The off-chain security gap
Blockchain security often focuses on code audits and on-chain exploits. But the Humanity Protocol hack shows that the weakest link can be off-chain: the servers, APIs, or private keys that govern administrative functions. Industry observers have long warned that many projects spend heavily on smart contract audits while neglecting the security of their broader infrastructure.
For Humanity Protocol, the immediate task is to lock down those off-chain access points and determine whether the attacker exploited a stolen key, a compromised API endpoint, or a vulnerability in the protocol’s web interface. The team has said it is working with security partners and law enforcement, but has not provided a timeline for recovery or compensation for affected token holders.
What remains unclear is whether the hacker can mint more tokens, or whether the breach has been fully contained. Until Humanity Protocol provides a detailed post-mortem, the $H market will likely remain on edge.
